KeyBase Keylogger Malware Family Exposed

In recent months, our team has been tracking a keylogger malware family named KeyBase that has been in the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.

In total, Palo Alto Networks AutoFocus threat intelligence service identified 295 unique samples over roughly 1,500 unique sessions in the past four months. Attacks have primarily targeted the high tech, higher education, and retail industries.

Malware Distribution and Targets

KeyBase was first observed in mid-February of 2015. Shortly before then, the domain ‘keybase[.]in’,  was registered as a homepage and online store for the KeyBase keylogger.

Domain Name:KEYBASE.IN
Created On:04-Feb-2015 08:27:44 UTC
Last Updated On:05-Apr-2015 19:20:38 UTC
Expiration Date:04-Feb-2016 08:27:44 UTC

This activity is in-line with an initial posting made by a user with the handle ‘Support™’ announcing KeyBase on the hackforums.net forum on February 7, 2015. In the forum post, the malware touts the following features:

  • Advanced Keylogger
  • Fully undetected scan-time and run-time (Later removed)
  • User-friendly web-panel
  • Unicode support
  • Password recovery

hack forums

Figure 1. KeyBase posting on hackforums.net

Since February 2015, approximately 1,500 sessions carrying KeyBase have been captured by WildFire, as we can see below:

hack figure 2

Figure 2. KeyBase timeline in AutoFocus

We can also quickly determine targeted industries using AutoFocus:

hack figure 3

Figure 3. Targeted industries in AutoFocus

The targeted companies span the globe and are located in many countries.

hack figure 4

Figure 4. Targeted countries in AutoFocus

This malware is primarily delivered via phishing emails using common lures. Some examples of attachment filenames can be seen below:

  • Purchase Order.exe
  • New Order.exe
  • Document 27895.scr
  • Payment document.exe
  • PO #7478.exe
  • Overdue Invoices.exe

One such example of an email delivering KeyBase can be seen below.

hack figure 5

Figure 5. KeyBase phishing email

Overall, Unit 42 has seen a large number of separate campaigns using KeyBase. As the software can be easily purchased by anyone, this comes as no surprise. As we can see in the following diagram, around 50 different command and control (C2) servers have been identified with up to as many as 50 unique samples connecting to a single C2.

hack figure 6

Figure 6. KeyBase campaign diagram

Malware Overview

KeyBase itself is written in C# using the .NET Framework. These facts allowed us to decompile the underlying code and identify key functionality and characteristics of the keylogger.

hack figure 7

Figure 7. KeyBase logo

Functionality in KeyBase includes the following:

  • Display a website on startup
  • Screenshots
  • Download/Execute
  • Persistence
  • Kill Timer

When the malware is initially executed, a series of threads are spawned.

hack figure 8

Figure 8. KeyBase main function

The various functions spawned in new threads may be inert based on options specified by the attacker during the build. Should a feature not be enabled, a function looks similar to the following:

hack figure 9

Figure 9. Inert functions in KeyBase

hack figure 10

Figure 10. KeyBase builder

The author makes use of a number of simple obfuscation techniques on various strings used within the code. Examples of this include replacing single characters that have been added to strings, as well as performing reverse operations on strings.

hack figure 11

Figure 11. String obfuscation using replace

hack figure 12

Figure 12. String obfuscation using reverse

Additionally, the author makes use of an ‘Encryption’ class. This class is used to decrypt a number of strings found within the code.

hack figure 13

Figure 13. KeyBase Encryption class

References to this decompiled code were discovered in an old posting on hackforums.net, where the user ‘Ethereal’ provided sample code.

hack figure 14

Figure 14. Encryption code posting on hackforums.net

We see the ‘DecryptText’ function used by the author when he/she dynamically loads a number of Microsoft Windows APIs.

hack figure 15

Figure 15. Obfuscated API functions in KeyBase

The following Python code can be used to decrypt these strings.

Persistence

Persistence in KeyBase, should it be enabled, is achieved using two techniques—copying the malware to the startup folder or setting the Run registry key to autorun on startup. When KeyBase copies itself to the startup folder, it names itself ‘Important.exe.’ This is statically set by the author and cannot be changed by the user in the current version. The key used in the following Run registry key is set by the user, and is always a 32 byte hexadecimal value.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run [32 byte key] : [Path to Executable]

Keylogging

Keylogging in KeyBase is primarily accomplished in a separate class appropriately named ‘KeyHook.’ While the class shares a name with a publicly available repository on github, the class appears to be custom written. While custom, the class itself uses a very common technique of using the Microsoft Windows SetWindowsHookExA in order to hook the victim’s keyboard.

hack figure 16

Figure 16. Hooking keyboard via SetWindowsHookExA

The author proceeds to handle appropriate keyboard events as expected.

hack figure 17

Figure 17. Handling keyboard events

The class also has the ability to handle Unicode characters, as well as get the name of the foreground window. This allows the malware to not only identify what keys are being pressed, but what application said key presses are being sent to.

Command and Control (C2)

All communication with a remote server takes place via HTTP. Data is not encrypted or obfuscated in any way. Upon initial execution, KeyBase will perform an initial check-in to the remote server, as we can see below.

 hack figure 18Figure 18. Initial KeyBase notification HTTP GET request

A number of HTTP headers are not included with the request. This provides a simple technique for flagging the activity as malicious. It is also important to note that it is fairly elementary to detect the activity using the hardcoded GET variables included in the request. While the victim machine name and the current time will vary, the remainder of the request will remain static.

KeyBase may also send the following data back to its C2 server:

  • Keystrokes
  • Clipboard
  • Screenshots

Examples of this data can be seen below.

hack figure 19

Figure 19. KeyBase uploading clipboard data

hack figure 20

Figure 20. KeyBase uploading keystroke data

During this communication with its C2 server, KeyBase will include the raw clipboard and keystroke log data using various GET parameters. This data is URI-encoded, but otherwise sent in the clear.

Finally, Keybase will also use a specific URI to upload screenshots. The path ‘/image/upload.php’ is hardcoded within the malware. All images sent back to its C2 server will be placed within the ‘/image/Images/’ path. Uploaded data is once again sent unencrypted, as we can see below.

hack figure 21

Figure 21. KeyBase uploading screenshot image

Web Panel

The web panel itself does not provide any innovative characteristics. It uses a simple red/grey color scheme as seen below.

hack figure 22

Figure 22. KeyBase web panel

The panel does allow the attacker to quickly view infected machines, keystrokes, screenshots, clipboard data, and password data. Unfortunately, the author of KeyBase does not make use of pagination, which results in poor performance in the event a large amount of data is being displayed to the attacker.

Interesting Discoveries

During the course of our research, Unit 42 discovered that no authentication was required when viewing the ‘/image/Images/’ path. One C2 server in particular stood out because it appeared the operator was testing KeyBase on his/her local machine. As such, screenshots of his machine were uploaded to his server and could be viewed by the general public. In the screenshot below, we can clearly see the ‘KeyBase v1.0’ folder. This folder almost certainly contains the KeyBase installation. While viewing the operator’s desktop, we can also see a number of other keyloggers, such as ‘HawkEye Keylogger’ and ‘Knight Logger’. Also of note is a popular crypter named ‘AegisCrypter’. Finally, we can also see that the user engages in piracy, as copies of both ‘The Hobbit’ and ‘Fury’ appear on the desktop as well.

hack figure 23

Figure 23. KeyBase operator desktop screenshot

While continuing to examine the uploaded images, we also identify the user logging into a Windows Web Server 2008 R2 instance via remote desktop. This appears to be where the attacker is launching their spam campaigns using an instance of ‘Turbo-Mailer 2.7.10’. Unfortunately, it appears the operator had forgotten his/her username/password at this particular moment.

hack figure 24

Figure 24. KeyBase operator sending phishing emails

Further examination of the uploaded screenshots shows activity of the user logging into his/her Facebook account. The user looks to be named ‘China Onyeali’ and is observed discussing some of his/her latest endeavors. Specifically, we see a link to a .rar file hosted on rghost[.]net containing the following file. We also see the operator discussing the HawkEye keylogger in another chat window. The operator’s Facebook page claims that he/she lives in Mbieri, Nigeria. We previously reported on Nigerian actors using off-the-shelf tools to attack business in our 419 Evolution report last July. This user has been reported to the Facebook security team.

hack figure 25

Figure 25. KeyBase operator logged into Facebook

Further Interesting Discoveries

Other interesting discoveries were made while researching the backend C2 code. In particular, the upload.php file was examined and analyzed, as this file handles file uploads to the server. As we can see, there is no validation for the types of files uploaded to the remote server.

hack figure 26

Figure 26. KeyBase screenshot upload PHP script

This poses an issue from a security perspective, as a third party can simply upload a PHP script to the ‘/image/Images/’ directory to gain unauthorized access. The following PHP code can be used to read the KeyBase ‘config.php’ script, which contains the username and password for the web panel.

Additionally, the following Python code can be used to upload this file and read the results.

Conclusion

Overall, this KeyBase malware is quite unsophisticated. It lacks a number of features available in some of the more popular malware families, and the C2 web panel contains security vulnerabilities that could allow a third party to gain unauthorized access. The builder for KeyBase provides an easy-to-use, user-friendly interface; however, a number of options are hardcoded into the malware itself. Some examples include the filename KeyBase uses when it is copied to maintain persistence, and various URI paths it uses during the command and control phase.

While this malware has some issues with sophistication, Unit 42 has observed a significant and continued rise in usage by attackers, generally targeting the high tech, higher education, and retail industries. Palo Alto Networks customers are protected via WildFire, which is able to detect KeyBase as malicious. Readers may also use the indicators provided to deploy protections.

For a list of sample hashes and their associated domains and IP addresses, please see the following link.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42


SUBSCRIBE TO RSS